DEP & AD Lockouts

Dec 9, 2016
1 minute read

An interesting little gotcha that I’ve found in my environment when using Active Directory (AD) to authenticate during the Device Enrolment Program (DEP) setup of a new Mac.

When you turn on authentication in conjunction with DEP, it forces new macs to prompt for user credentials before you can proceed to setup a new Mac. I like using auth as it allows me to get user information from AD such as the users name, position, & team at enrolment with JAMF and means I can really customise their Mac setup.

One of the pitfalls of this is that users are forced to enter AD creds at a pre-boot screen which means they don’t have access to a password manager; not a great experience if this password is particularly complex.

Bypassing the issue of having to look this password up on a mobile device, they now need to type this into their Mac. Here’s where the real fun begins.

After two incorrect password attempts, if on the third try they get the password right, they still won’t be able to login. At this point I login to AD and see that their account is locked. “Hmmm” you might say, that’s only two incorrect password attempts, but I’ve set my lock out policy to allow 6 incorrect attempts.

And that’s where the gotcha comes in. From my testing it appears like every incorrect attempt to auth with AD while setting the Mac up is tried an additional 2 times before reporting back as incorrect. This means that two incorrect attempts by a user is seen as 6 by AD.

I’m not exactly sure why this is happening but I’ve modified my lock out policy to allow 10 incorrect attempts in 1 hour. This will allow the user 3 incorrect attempts on their end. Hopefully they get it right on the 4th try.

James is a dad to an awesome four-year-old and previously lead the glamorous life of a Barista by day and DJ by night. He's now squarely focussed on enabling employees to do their best work as a SysAdmin for Culture Amp